FR2837301A1 - Medical database system for storage and exchange of medical data files comprises a database management server in which primary patient identifier tables are stored with the identifiers used to label all subsequent patient data - Google Patents

Abstract

Method for storage and exchange of medical data files using a database management server and an unlimited number of servers across which the data files are stored. For each file two primary identifiers are defined and stored in a primary database table that is subsequently used to access the files. Secondary database tables contain patient data with each table having a data identifier that is calculated from the primary identifiers using an appropriate algorithm.

Description

possibly printing or file transfer. The invention is

  relates to the electronic exchange sector of .....

safe medical data.

  Despite an increasingly important presence of IT in the world of health, the establishment of computer medical records has still not been carried out, which has not allowed to create real exchanges between prescribers (usually doctors), hospitals and prescribed, such as pharmacists, biologists, nurses, physiotherapists, If medical database management systems are currently not developed, it is mainly due to legislative constraints. In fact, to collect medical information from separate sources and group it in individual medical files, it is necessary to identify, without risk of error, the patient to whom each data relates. This requires that each healthcare professional has, for each patient, a permanent and unique common identifier, allowing the patient to be recognized as

  as the different medical stages he faces.

  Only the INSEE number can play this role. However, its use as an identifier in a computer processing is prohibited by law, except, by way of derogation for the processing linked to electronic vein sheets and file consolidations carried out by the taxman. It is therefore prohibited to use this number as the identifier of the data owner in a Database Management System (DBMS) or in a computerized medical record. It is also not possible to create treatments

2 2837301

  consolidating, patient by patient, medical data or linking medical prescriptions to their economic cost, to set up a

  effective analysis of health expenditure.

  From this state of the art, the problem that the invention proposes to solve is the creation of a permanent patient identifier:

  (IPPV), which can also be used in computer processing.

  The existence of such (IPPV) makes it possible in particular to constitute individual medical files, including all the economic data necessary 0 for monitoring costs and, more generally, to allow the tracing of all

medical data.

  The use of this (IPPV) in computer processing makes it possible to constitute perfectly anonymous medical (DBMS), since they do not need to contain information likely to allow the identification of the owners. This anonymity of the data allows their free and secure statistical exploitation; it provides pharmaceutical companies, or health insurance companies, with

  totally non-existent medico-economic data to date.

  The (IPPV) also makes it possible to set up individual monitoring of electronic secure prescriptions for ['all of the

  health professionals led to intervene in the treatment of a patient.

  The principle, on the basis of the invention, is to calculate, from VITAL cards, an individual electronic key which allows to trace

  anonymously and individually the medical data of each patient.

3 2837301

  Advantageously, the method according to the invention can be implemented via the INTERNET. It is 100% compatible with the VITAL system and does not require a specific internet access provider. It can run on all hardware platforms and all operating systems on which the VITALE system is available. According to the process on which the invention is based, the identifier (IPPV) for the patient chosen from those appearing on the card is calculated from a VITAL card, using an irreversible and injective algorithm.

  applies to certain data read from the card.

  This (IPPV) is sent to a server as a parameter of a

connection opening request.

  The server searches if a folder corresponding to this (IPPV) exists.

  If yes, the server opens a connection and sends the client an identifier characterizing this connection. The client then uses this "connection identifier" to consult and modify the file

correspond to the initial (IPPV).

  Otherwise, the connection request is rejected.

  Establishing a connection can be done with or without presence

  a professional health card (CPS).

  If there is no (CPS), it is impossible to modify the content

  medical file. Access is established in read only mode.

  It is not possible to delete data from the file. A data can only be replaced by a more listed <<version>>, but

the old one is never erased.

1 1

4 2837301

  The presence of a (CPS) is essential to add medical data to a file. Each medical data of a file is stored with the identifier of the (CPS), the date and time at which the operation was recorded and an electronic signature which guarantees the integrity and the authentication of the trio << (CPS ) / Date / Content of the data >>. The data in a file is completely anonymous and contains no information relating to the patient's identity or social security. It is possible to use several cards (Vitale or other) to

1 o access the same file.

  The invention is set out below in more detail with the aid of the figures of the accompanying drawings in which: - Figure 1 is a view, of purely schematic nature, showing an example of implementation of the method according to the invention; - Figure 2 is a method of calculating the different identifiers and

corresponding algorithms.

  For a better understanding of the rest of the description, we

  designated by: To (cnv): correspondence table between file identifiers and patient identifiers; To (cnx): connection table; To (CPS): Chip card for identification of a health professional; À (dse): table used to store the kernel of each folder; l

2837301

  In (states), (go), (vacci), (medica), (ekg) and (hpr): secondary tables used to store the medical content of the file. Each record of these tables has an electronic signature which guarantees integrity and authentication; À (Vitale): Chip card which equips almost all French social security; To (data!): Patient identifier calculated from (IPPV); To (idcnx): identifier of a connection, appearing in each record of the table (cnx); lo À (iddossier), (data), (id3) and (md3): file identifiers; To (idps): the identification number of the health professional read on the (CPS) present when opening a connection; To (IPPV): Virtual Permanent Patient Identifier calculated from data from the Carte Vitale; To (md3): the identifier of the table (dse); To (mda): the identifier of the table (go); To (mde): the identifier of the table (states); To (mdh): the identifier of the table (hpr); To (mdk): the identifier of the table (ekg); To (mdm): the identifier of the table (medica); To (mdv): the table identifier (vacci); To (nba): alea used for the control of the continuity of the exchanges of a connection;

To (PS): health professional.

  According to the invention, an identifier for each beneficiary appearing on this card is calculated from the VITAL card, by means of a J c

6 2837301

  electronic signature algorithm of the type (MD5) perfectly known to a person skilled in the art. We then send the calculated identifier to a servour able to create individual medical files and to associate each identifier with a medical file, in a secure manner. This principle is illustrated diagrammatically in Figure 1. We denote by (1) the VITAL card of the patient, by (2) the reader of a health professional in which wind inserted his professional card and the VITAL card, by (3 ) the INTERNET link, by (4) an authentication server, by (5) a server authorizing access to

  service, by (6) the database management system (SGDB).

  The structures of access and storage of (dse) are described below.

  A folder consists of a record in the table (dse) and six series of records in the tables (states), (go), (vacci), (medica), (ekg) and (hpr). The record in the table (dse) is identified by a unique number, (folder id), a unique auto-incremented number calculated by the DBMS when the record is created. This characteristic guarantees its uniqueness. (iddossier) is used as a basis to calculate using a series of irreversible and injective algorithms, a series of unique and irreversible identifiers used in the tables (cnv), (cnx), (states), (go) , (vacci), (medica), (ekg) and (hpr). It is thus possible to identify all the elements of a file from the table (dse) which contains the identifier md3. This identification and / or this access is carried out in the following way: - (md3) identifier of the file itself is stored in the table (dse);

7 2837301

  (mda), (mde), (mdm), (mdv), (mdk) and (mdh), identifiers used to identify the records that make up the folder in the tables

  (states), (go), (vacci), (medica), (ekg) and (hpr).

  For greater security, nenf identifiers are used for each file: (md3), (id3), (data), (mda), (mde), (mdm), (mdv), (mdk) and (mdh), all calculated from the base identifier hierarchically and in a determined order. The algorithms used are mathematically irreversible and injective. Since each table in folder 0 has its own identifier, it is not possible, if only one identifier is known, to reconstruct the folder. A request made with a given identifier can only have an answer on the table with which it is associated. The

  different tables are disjoined and only use different identifiers.

  We refer to Figure 2 which shows the principle of calculating the different identifiers. On this screen, (IPPV) corresponds to the patient identifier and (folder id) corresponds to the identifier (dse). From (IPPV), an algorithm (AO) allows to calculate (data!), While 2 algorithms (BO) and (CO) allow, from (data!), To calculate (mp3). From (iddossier), an algorithm (A) allows to calculate (data). From (data), another algorithm (B) allows to calculate (id3), then from an algorithm (C), to calculate (md3). From (md3), and from algorithms (D), (E), (F), (G), (H) and (I), we calculate (mda), (mde), (mdm), ( mdv), (mdk) and (mdh). For the creation of a folder in the server, according to the invention, the procedure is as follows:

8 2837301

  - we use a (DBMS) for data storage; - the files are distributed in an unlimited number of different servours; - one calculates for each file, from (iddossier) two unique linked primary identifiers called (md3) and (data), (md3) is stored in a record of the table (dse), record which constitutes the core of the file, (data) is stored in the table (cnv) used to access the file; - five wind records created in the tables (states), (go), (vacci), lo (medica) and (ekg): each of these records is used to store the data "background", "allergic", << medication and blood group >>, << electrocardiogram >> and << vaccinations >> in the dossier. These tables are linked to the file by the identifiers (mda), (mde), (mdm), (mdv) and (mdk) calculated from (md3); - the table (hpr) is used to store the events related to the file: the records of this table are linked to the file by the identifier (mdh) calculated from (md3). The self-incrementing field (idhpr) of the table (hpr) allows numbering and therefore distinguishing the different records from (hpr) which each contain an event from the same folder: all the records (hpr) from the same folder have

therefore the same identifier (mdh).

  To solve the problem of calculating (IPPV), in a unique and irreversible way, we use the content of a smart card, in particular the VITALE card which contains series of unique information, recorded by the issuing body. of said card. Those data

9 2837301

  guarantee the uniqueness of the natural person to which each corresponds

series of information.

  We choose the series of information corresponding to the patient (physical person) wanted. These data include in particular the INSEE number of the insured card holder, the date of birth and the birth order (or

  gem rank) of the chosen person.

  The value (IPPV) is calculated from this series of information using an irreversible and injective algorithm. The value (IPPV) is

  transmitted to the server during the request to consult the file.

  The server applies the value (IPPV) the algorithm (A0) to calculate the value (datal) necessary for the file identification process

associated with this (IPPV).

  To solve the problem posed of associating a file with a (IPPV), during the creation of the file, and after calculation of (md3) and (data), the servour creates a record in the table (cnv). This record makes it possible to make the link between the (IPPV) and the file which has just been created in the following way: - the field (datal) contains the value of the identifier (datal) calculated at

from (IPPV).

  - the (data) field contains the value of the identifier (data).

  We can store files in different servers (each file in each server has a separate identifier (data)) to obtain several files associated with the same identifier (data!), Which makes it possible to create several files for the same patient. This case corresponds to

2837301

  several records in (cnv) containing the same value (datal) but

different data values.

  You can also associate several (IPPV) to the same file. This case corresponds to several records in (cnv) containing the same value (data) but different values (datal). To solve the problem posed of the detailed creation of a connection for the consultation and / or the modification of a file from a Vitale card, two tables are used: l0 - the table (cnv) which contains the correspondences between patient identifiers and file identifiers - the table (cnx) which contains the parameters of the connection used for

  consult or update the file.

  l 5 We proceed as follows: - we read the series of information presented in the Vitale card; we choose the natural person (therefore a series of information) whose file we want to consult; - we apply the appropriate algorithm to the selected series of information, in order to calculate (IPPV); - a connection opening request containing the value (IPPV) is sent to the server; - the servour applies the algorithm (A0) to the value (IPPV) re, cue to calculate the identifier (datal) and searches in the table (cnv) for a record containing the value (data!);

1 1 2837301

  If the search is negative, the connection request is rejected,

  since there is no record for this value of (IPPV).

  If the search is positive, the servour reads the value (data) contained in the record of (cnv) and applies the algorithm (B) to it to obtain the value (id3); a record corresponding to the connection (which is therefore accepted) is created in the table (cnx). This record includes the following fields: - (idcnx): auto-increment by the (DBMS). It serves as an identifier for this connection; - (idps): ADELI number (optional) of the (CPS) present during the opening request, transmitted with the connection opening request; - (nba): random numerical value calculated at the time of creation of the record in (cnx) incremented with each request received, cue for this connection;

  - (hcreation): date and time of creation of the recording.

  - (hacces): date and time of the last request received, cue for this connexion. - (version): this field contains a default value which contains the version number of the server software and of the servour software downloadable on the WEB site. These data allow the client software to verify that its version is compatible with the server and possibly trigger an update. If the client version is

  different from that of the server, it refuses to connect.

  - (id3): identiSant which will be used to access the file. It is calculated from the value of the field (data) read in (cnv);

12 2837301

  - (email): contains the value of the field (email) of the table (dse) (email address of the patient); - (alert): area calculated from the alert field of the table (dse) and the ADELI n of the (PS) which opens the connection. This value allows, during subsequent requests processed by the server, to quickly determine whether to send an alert email to the patient or not; - (nomps): zone which contains the full address of the (PS), used in the alert emails sent to the patient. This zone is calculated from the table (directory), only when it is necessary to send messages to the patient. The servour identifies the file and opens the connection. It returns

(idcnx) and (nba).

  To consult a file using a previously opened connection, the client sends a consultation or modification request containing the value (idcnx). This request does not include (IPPV) which is never used to consult or modify the file; the servour searches the table (cnx) for a record containing the value (idcnx) re, cue in the request. It reads the value (id3) contained in this record; - it applies the algorithm (C) to the value (id3) to calculate (md3);

  - this value (md3) identifies the folder in the table (dse).

  If you want to access a file from a card other than the one with which it was created, two cases arise:

  a) - The data used to calculate the (IPPV) are identical.

  The (IPPV) calculated will be the same, access will therefore be done automatically. This case corresponds for example to that of an insured person who loses his card and makes it

13 2837301

  renew. The basic trots do not change from one card to another:

the (IPPV) calculated is the same.

  b) - In the case of a child's file, the data used to calculate the (IPPV) is different depending on whether the mother or father card is used: the INSEE n is not the even. The principle therefore consists in creating in the table (cnv) two records corresponding to the two (IPPV) (calculated with each card) and making them point to the same folder (i.e. two records having the same value ( Datal)). Concretely, in order not to pass a file identifier lO on the network, the procedure consists: - To open a connection on the file using the first card (the one

  which made it possible to create the file and has a recording in (cnv).

  - To introduce the second card, the fire, indicate which beneficiary of the second card must point to the file corresponding to the connection

1 5 active.

  - The server receives the request to create a link on the folder of the current connection including the new one (IPPV). He creates in (cnv) a record with the new one (IPPV) and the current file identifier: (data!). This technique allows any smart card queue to be associated with a file: it suffices to know how to calculate a unique identifier linked to the card and to have the server create a link between this new identifier and the desired file.

14 2837301

  The principle of using the medical file for the "treatment" of a pharmacout prescription between a patient, a doctor and a pharmacist is described below: - The patient goes to his doctor. During the consultation, the doctor writes a prescription in his computer; - The patient entrusts him with his Vitale card. The doctor introduces it into his Sesam Vitale reader, which already contains his (CPS). He chooses the

  patient on the list of beneficiaries on the card.

  - The doctor's software connects to the platform and transmits the prescription. The (CPS) is used to identify the doctor and the Vitale card of the

  patient selects the (DES) in which to store the prescription.

  - If the doctor requests it, the server offers a version of the prescription "optimized" in (INN) or generic products. The doctor can choose to modify his prescription according to the proposals made by the server. - In the event of an anomaly detected by the server: contraindications or drug interactions with the previous prescriptions known to the server, multiple prescriptions for the same patient, an alert message is sent to the doctor in order to draw his attention to the anomaly. It is the doctor who decides what to do when faced with

this alert.

  - When the prescription is definitively validated by the doctor, it is transmitted to the server for final recording with the signature of the doctor calculated from his (CPS). The cost of the consultation is

  also recorded (from (FSE) data).

  - The patient then goes to the pharmacy of his choice and presents his Vitale card. The pharmacist introduces it into his Sesam Vitale reader

2837301

  in which is already its (CPS). He accesses the prescription registered in the server by the doctor and downloads it securely. The electronic signature accompanying the prescription guarantees

  to the pharmacist the accuracy of the street data.

  - The pharmacist dispenses the prescription without risk of error and then registers the exact delivery accompanied by an electronic signature established from his (CPS). The (FSE) established by the pharmacist also makes it possible to record the economic data induced by this delivery. 0 - Any renewals are also processed and checked by the server.

  The advantages emerge clearly from the description, in particular

  underlines the security of the treatment process: - Each of the tables used in the (DBMS) has a specific identifier, which guarantees total tightness between the tables and the impossibility, in the event that the anonymity of an identifier is raised, to access the elements of the file other than the information

  contained in the table which corresponds to the identifier concerned.

  - Each response sent by the server includes a random number which is encrypted by the client and sent to the interior of the following request sent by the client as part of the open connection. If this element is not correctly encrypted and returned to the server, the latter terminates,

  irrevocably, upon connection / consultation.

  - To be able to consult a file, a health professional must present a (CPS). This (CPS) is used to provide tracing

16 2837301

  integral of the operations carried out in each file consulted or modified. - The server integrates a device of alerts by electronic messaging which allows the owner of a file to be systematically warned if someone consults or modifies his file. The server transmits the full identity of the health professional from the (CPS)

  must be present during the consultation.

  - The information that can be consulted by a health professional depends on the (CPS) presented. The server filters the information displayed according to the exact identity and category of health professional listed on the

(CPS).

  - During a consultation in patient only mode (that is to say in the absence of (CPS)), the patient must: Enter a 4-digit PIN code if a smart card with the identifier is present ; Enter a username, password and PIN code for a

access without smart card.

17 2837301

Claims (2)

CLAIMS -1- Creation process in a folder servour for the storage of individual medical data, folders having a unique identifier (data), characterized in that: - we use a database management servour (SGBD) for the data storage; - the files are distributed in an unlimited number of different servers; 0 - we compute for each file two linked unique primary identifiers called (md3) and (data), (md3) is stored in a record of the table (dse), record which constitutes the core of each file, (data) is stored in a table used to access the file; - we store in "secondary" tables of the (DBMS) the data constitute the file: (states), (go), (vacci), (medica), (ekg) and (hpr); each of these tables has a specific identifier calculated from (md3) using irreversible and injective algorithms, which allows the reading of a file from the recording of the table (dse) which contains (md3) , but forbidden to reconstruct the content of a file from a data contained in a secondary table, the calculation of secondary identifiers being irreversible, which means that knowledge of a secondary identifier does not allow the identifier to be calculated (md3) essential to access the entire file. -2- Method according to claim 1, characterized in that, for ['identification of the different elements of a file ,: i 2337301 - the server creates a record in the table (dse) comprising a unique identifier (iddossier) generated by the (DBMS) server; - the servour applies an algorithm (A) a (iddosier) to calculate the value (data), then the algorithm (B) a (data) to calculate (id3), then the algorithm (C) a (id3) to calculate (md3); - this value (md3) is stored in the table record (dse); a record to allow access to the created folder is created in the table (cnv). In this record the values (data) and (datal) are stored which identify the file and the carrier respectively; 1 o - algorithms (D), (E), (F), (G), (H) and (I) applied to (md3) allow to calculate the secondary identifiers (mda), (mde), (mdm) , (mdv), (mdk) and (mdh) used in the tables (states), (go), (vacci), (medica), (ekg) and (hpr). -3- Method according to claim l, characterized in that, for the calculation of a unique and irreversible patient identifier (data!): - a VITALE smart card is used which contains series of unique information, recorded by the organization issuing said card, data which guarantees the uniqueness of the natural person to whom each series of information corresponds; - we choose the series of information corresponding to the patient (physical person) wanted; these data include in particular the INSEE number of the insured card holder, the date of birth and the birth rank (or gem rank) of the chosen person; - the value (IPPV) is calculated from this series of information using an irreversible and injective algorithm; 19 2837301   - the value (IPPV) is transmitted to the server during the request to consult the file; - the servour applies to the value (IPPV) an algorithm (AO) to calculate the value (datal) necessary for the process of identification of the file belonging to this carrier. -4- Method according to claim 3, characterized in that, to associate the identifier of a file (data) with the identifier of a patient (data!): - when creating the file, once calculated (md3) and (data), the server creates a record in the table (cnv), record which contains (data) (file identifier) and (datal) (patient identifier calculated from the (IPPV) appearing in the request to create a file sent by the client); this recording establishes the correlation between the identifier of the data folder and the identifier of the holder (data!); - we store files in different servers (each file in each server has a separate identifier) to obtain several files associated with the same identifier (data!), which allows   to create several files for the same patient.   -5- Method according to claim 3, characterized in that, for the identification of the file belonging to a holder gives: - the series of information presented in the Vitale card are read; we choose the natural person (therefore a series of information) whose file we want to consult; - we apply the appropriate algorithm to the selected series of information, in order to calculate (IPPV); 2837301   - a request containing the value (IPPV) is sent to the server; - the server applies the algorithm (AO) to the value (IPPV) received to calculate the identifier (datal) and searches the table (cnv) for a record containing the value (data!); if this record exists: - the servour reads the value (data) contained in this record and applies the algorithm (B) to it to obtain the value (id3); - the server creates a record in the table (cnx), this record having an identifier (idcnx) and is used to store the value (id3); 0 - the connection is established and then allows the client to access the desired file; otherwise: - the connection request is rejected, since there is no file for this value of (IPPV).   -6- Method according to claim 3, characterized in that, for ['identification of the different elements of a file from the value (idcnx): - the server searches the table (cnx) for a record containing the value ( idcnx) received in the request and reads the value (id3) contained in this record; - the server applies the algorithm (C) to the value (id3) to calculate (md3), this value (md3) allows to find the record of the table (dse); - the algorithms (D), (E), (F), (G), (H) and (I) applied to (md3) allow to calculate the identifiers (mda), (mde), (mdm), (mdv ) 21 2837301   (mdk) and (mdh) used to access the tables (states), (go), (vacci),   (medica), (ekg) and (hpr), which contain the folder itself.   -7- The method of claim 3, characterized in that, for the security of exchanges between the client and the server: - the servour, after accepting a connection, sends the client the i denti fiant (idcnx) and the value (nba), random number generated by the server when the connection is opened; - during the next request, the client calculates a message which contains the value received from the element and some of the variables sent as a parameter with its request, and calculates an electronic signature using the algorithm (MD5) and send this signature to the server; - when it receives the request, the server calculates a message identical to that which the client has calculated, then calculates the signature (MDS); - the servour compares the two signatures and interrupts the connection in the event of an inequality, otherwise it processes the request and sends the client a new value of (nba) which must be used by the client in its next